Merge pull request #10 from enguerr/master

add compatibility with CEPH S3 and s3cmd

Author: Kriechi

handler.go

@@ -17,7 +17,10 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-var awsAuthorizationCredentialRegexp = regexp.MustCompile("Credential=([a-zA-Z0-9]+)/[0-9]+/([a-z]+-?[a-z]+-?[0-9]+)/s3/aws4_request")
+// - new less strict regexp in order to allow different region naming (compatibility with other providers)
+// - east-eu-1 => pass (aws style)
+// - gra => pass (ceph style)
+var awsAuthorizationCredentialRegexp = regexp.MustCompile("Credential=([a-zA-Z0-9]+)/[0-9]+/([a-zA-Z-0-9]+)/s3/aws4_request")
 var awsAuthorizationSignedHeadersRegexp = regexp.MustCompile("SignedHeaders=([a-zA-Z0-9;-]+)")
 
 // Handler is a special handler that re-signs any AWS S3 request and sends it upstream
@@ -225,9 +228,16 @@ func (h *Handler) buildUpstreamRequest(req *http.Request) (*http.Request, error)
 		return nil, err
 	}
 
+	// WORKAROUND S3CMD which dont use white space before the some commas in the authorization header
+	fakeAuthorizationStr := fakeReq.Header.Get("Authorization")
+	// Sanitize fakeReq to add white spaces after the comma signature if missing
+	authorizationStr := strings.Replace(req.Header["Authorization"][0], ",Signature", ", Signature", 1)
+	// Sanitize fakeReq to add white spaces after the comma signheaders if missing
+	authorizationStr = strings.Replace(authorizationStr, ",SignedHeaders", ", SignedHeaders", 1)
+
 	// Verify that the fake request and the incoming request have the same signature
 	// This ensures it was sent and signed by a client with correct AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
-	cmpResult := subtle.ConstantTimeCompare([]byte(fakeReq.Header["Authorization"][0]), []byte(req.Header["Authorization"][0]))
+	cmpResult := subtle.ConstantTimeCompare([]byte(fakeAuthorizationStr), []byte(authorizationStr))
 	if cmpResult == 0 {
 		v, _ := httputil.DumpRequest(fakeReq, false)
 		log.Debugf("Fake request: %v", string(v))

handler_test.go

@@ -79,6 +79,12 @@ func verifySignature(w http.ResponseWriter, r *http.Request) {
 	signer.Sign(r, body, "s3", "eu-test-1", signTime)
 	expectedAuthorization := r.Header["Authorization"][0]
 
+	// WORKAROUND S3CMD who dont use white space before the comma in the authorization header
+	// Sanitize fakeReq to remove white spaces before the comma signature
+	receivedAuthorization = strings.Replace(receivedAuthorization, ",Signature", ", Signature", 1)
+	// Sanitize fakeReq to remove white spaces before the comma signheaders
+	receivedAuthorization = strings.Replace(receivedAuthorization, ",SignedHeaders", ", SignedHeaders", 1)
+
 	// verify signature
 	fmt.Fprintln(w, receivedAuthorization, expectedAuthorization)
 	if receivedAuthorization == expectedAuthorization {
@@ -143,6 +149,24 @@ func TestHandlerValidSignature(t *testing.T) {
 	assert.Equal(t, 200, resp.Code)
 	assert.Contains(t, resp.Body.String(), "Hello, client")
 }
+func TestHandlerValidSignatureS3cmd(t *testing.T) {
+	h := newTestProxy(t)
+
+	req := httptest.NewRequest(http.MethodGet, "http://foobar.example.com", nil)
+	signRequest(req)
+	// get the generated signed authorization header in order to simulate the s3cmd syntax
+	authorizationReq := req.Header.Get("Authorization")
+	// simulating s3cmd syntax and remove the whites space after the comma of the Signature part
+	authorizationReq = strings.Replace(authorizationReq, ", Signature", ",Signature", 1)
+	// simulating s3cmd syntax and remove the whites space before the comma of the SignedHeaders part
+	authorizationReq = strings.Replace(authorizationReq, ", SignedHeaders", ",SignedHeaders", 1)
+	// push the edited authorization header
+	req.Header.Set("Authorization", authorizationReq)
+	resp := httptest.NewRecorder()
+	h.ServeHTTP(resp, req)
+	assert.Equal(t, 200, resp.Code)
+	assert.Contains(t, resp.Body.String(), "Hello, client")
+}
 
 func TestHandlerInvalidCredential(t *testing.T) {
 	h := newTestProxy(t)